The Buffer Overflow vulnerability has been around for almost 3 decades and it’s still going strong. Hackers all around the world continue to name it as their default tactic due to the huge number of susceptible web applications. But what steps are organizations (devs) taking to combat this vulnerability? What role does secure coding play in eliminating this threat? This article also includes an ethical hacker’s Buffer Overflow POC along with a brief Q&A.
As per Statista.com, over 80% of the desktop computers in use today (correct for Sep 2015) are powered by Microsoft Windows. While Windows 7 is by far the most commonly used version (51.5%), the “vintage” Windows XP is still popular with almost 10% of the share. This is where Indian ethical hacker Neeraj Godkhindi has exposed a glaring vulnerability.
A seasoned security researcher based in Bangalore, Godkhindi exploited the Buffer Overflow loophole to trick the Windows XP system and gain remote access to the machine.
How are Buffer Overflow attacks executed?
The Buffer Overflow is one of the oldest vulnerabilities known to man. It can be tracked all the way back to the late 80s, when the self-propagating Morris Worm wreaked havoc.
Modern applications implement virtual memory fundamentals, unlike physical memory addresses in old times. When virtual memory is used, application code and the processor make use of virtual memory addresses. In other words, the OS and the chipset work in sync to map and coordinate between virtual and physical memory addresses.
The temporary storage areas in the memory are also known as buffers. When the application can be tricked (usually due to coding errors) into storing more data than the buffer can hold, it overflows into adjacent buffers. This Buffer Overflow can lead to a wide range of issues, including data corruption, segmentation faults, exceptions and more.
The probability of this vulnerability differs from language to language, but C, C++ and Assembly are considered most susceptible due to their outdated memory management capabilities. Advanced hackers can initiate Buffer Overflows with specially crafted malicious payloads to cause application crashing, data theft or even give them remote access.
Hacking Windows Machines with the Buffer Overflow
Neeraj Godkhindi, a seasoned researcher with years of experience with the Windows OS, showed how he exploits a vulnerable app to gain control of the victim’s PC. He used:
- Easy RM to MP3 Converter – An application vulnerable to Buffer Overflows.
- Immunity Debugger – To monitor the state of the registers.
- Msfweb – Metasploit web version used to generate the shell code.
- Wget – To retrieve files using HTTP.
- Malicious payload/s – Written in the Perl programming language.
The “Easy RM to MP3 Converter” application doesn’t contain any form of input length verification mechanism, making it a convenient hacking medium for the POC. Godkhindi also used the debugger to monitor the status of registers and showcase how the hacking works. He then initiates the process by trying to convert a larger than allowed music file.
Once the application crashes, the hacking process is initiated. Godkhindi overrides the EIP with a 41414141 sequence. He thus shows that he can control the ESP and manipulate the Windows OS via the vulnerable application. Then he uploads a personally-crafted malicious file to the app, which makes the Windows calculator pop up. The POC is thus complete.
Godkhindi went on to say that while his POC didn’t involve anything “fancy”, hackers can wreak havoc on compromised machines after gaining shell access via this loophole.
Neeraj Godkhindi hacks into a Windows XP powered computer.
Godkhindi: “Buffer Overflows not exclusive to Windows XP.”
Neeraj Godkhindi talked to Checkmarx about Windows security. He stressed that similar hacks can also be performed on newer Windows versions (Windows 7/10).
Q – What do you think about the current level of security in Windows applications?
A – “I personally think that application security is still not where it should be. Applications have become very dynamic in nature and code integrity is not where it should be.”
Q – How can Windows applications be free of the Buffer Overflow flaws?
A – “Fuzzing and reverse engineering are effective ways to locate Buffer Overflow vulnerabilities. But unfortunately these are very difficult to implement during development.”
“I recommend the implementation of Source Code Analysis (SCA) since it’s a practical way to locate vulnerabilities in the application code, before the software is released to the market. Not only are potential Buffer Overflow pitfalls located at early, they can also help developers understand the fundamentals of secure coding,” Godkhindi explained.
Godkhindi also named security tools Windows application developers can utilize. He recommends using – /GS Stack buffer overrun detection, /SafeSEH exception handling protection, Structured Exception Handler Overwrite Protection (SEHOP), Data Execution Prevention (DEP), Address space layout randomization (ASLR) and Pointer Encoding.
The future of Windows Security
While this article has dealt specifically with the Windows platform, the buffer overflow threat exists on other systems and platforms. Application security cannot be complete without secure coding and optimal memory management. Developers have to start implementing security during the development phases to eliminate these threats.
Neeraj Godkhindi and security experts worldwide are recommending the integration of SAST solutions straight into development process. This leads to the creation of a secure Software Development Life Cycle (sSDLC), enabling the detection and mitigation of coding errors and application-layer vulnerabilities. Code integrity is thus significantly improved.
But introducing code scanning into the Software Life Cycle (SLC) is still not enough, since there are no hack-proof applications. Adopting a multi-layered approach has become crucial. For example, coupling Static Code Analysis (SCA) during the development stages with Penetration (Pen) Testing prior to release can be a formidable AppSec combo.
The time to boost Windows security is now.
|Neeraj Godkhindi (@) is an IT professional based in Bangalore, India. He currently works as a technical lead, offering his services to major financial clients from US. Besides his primary work, Godkhindi is also an ethical hacker. He has performed major attacks by using Buffer Overflows and DLL Injections, while doing his best to educate and alert developers worldwide.|